closed in accordance with the practice under Ex parte Quayle, 1935 CD. 11, 453 O.G. 213.

Detailed Action
Response to Arguments 

Applicant's arguments filed 6/22/10 have been fully considered but they are not 
persuasive. 

Applicant argues the following: 

a) Khidekel does not perform a security check to ascertain the identity of a user upon 
each access operation and therefore cannot assign any signature on the basis of the performed 
security check. Applicant further argues that Khidekel can eliminate the need for the user to 
authenticate with the server each time he wishes to access information on the secure server and 
therefore equates this to mean that Khidekel teaches away from performing a security check on 
each access operation. 

In response to a), examiner respectfully disagrees. Examiner maintains his stance that 
the validation of the timestamp information shows that a security check is performed upon each 
access operation. Assuming for sake of argument that Khidekel does not teach this limitation, 
applicant's specification specifically cites that at paragraph 10, "another advantage is that the 
method requires just one security check from the user, but otherwise takes place fundamentally 
unnoticed by the users, and is therefore particularly easy and noncomplex to handle." 

b) Khidekel does not teach signing each access operation to electronic data. 

In response to b), examiner respectfully disagrees. Khidekel teaches at paragraph 41,
maintaining records of each authentication, an audit trail and non-repudiation can be provided, it 
is further taught that each attempt to access or perform actions on stored secure files requires 
approval by the authentication server. Thus each attempt to access or perform actions on the file 
are validated and access operations are recorded, this keeps an audit trail of which files were 
accessed by whom and what actions were performed on them. 

c) Applicant argues that examiner has confused authorizing access with signing access 
operations.

In response to c) examiner respectfully disagrees. While Khidekel does indeed authorize
access, it is explained above that Khidekel also maintains a record of each access operation and 
keeps track of not only who accessed what and when it was accessed, Khidekel further teaches 
that a log is kept of what action was taken on the file being accessed. Examiner believes this 
covers all of which is currently claimed by applicant. Furthermore, it is possible that applicant's 
arguments do not fall in line with the specification since it is specifically cited that only one 
security check is performed. 

Claim Rejections - 35 USC § 101 

1. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or 
composition of matter, or any new and useful improvement thereof, may obtain a patent 
therefor, subject to the conditions and requirements of this title. 

Claims 1-8, 40-41, and 43-46 are not statutory as they are drawn as a whole to an abstract idea.
A review of the factors outlined in the July 27, 2010 policy memo and OG Notice indicates that
these claims are not statutory. These claims fail the machine or transformation test as the steps
of a, b and c could be performed in one's mind or manually and involve only the general concept
covering both known and unknown uses of the concept covered, and can be performed through
any existing or future-devised machinery or even without any apparatus.

Claim Rejections - 35 USC §112 

2. The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and 
process of making and using it, in such full, clear, concise, and exact terms as to enable any 
person skilled in the art to which it pertains, or with which it is most nearly connected, to make 
and use the same and shall set forth the best mode contemplated by the inventor of carrying 
out his invention. 

3. Claims 1, 9 and 29 are rejected under 35 U.S.C. 112, first paragraph, as failing to comply
with the enablement requirement. The claim(s) contains subject matter which was not described
in the specification in such a way as to enable one skilled in the art to which it pertains, or with
which it is most nearly connected, to make and/or use the invention. Said claims recite the 
limitation, "performing a security check upon each access operation." Applicant's specification 
does not show this and further cites that only one security check is performed. Appropriate 
correction is required. 



Claim Rejections - 35 USC § 103 

1. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for
all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described 
as set forth in section 102 of this title, if the differences between the subject matter sought to 
be patented and the prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having ordinary skill in the art to which 
said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

2. Claims 1-22, 25, 27-34, 36, 40-41, 43-46 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Khidekel (US PGP No. 20010027527) and further in view of Ballantyne
(US Patent No. 5867821).

As per claims 1, 9, 16, 29 and 40, Khidekel teaches:

A method for signing access operations to electronic data, comprising: 

performing a security check upon each access operation in order to ascertain the identity of a 
user; 

[see paragraph 0029] "The user can be authenticated based on the user's credentials" 
[see paragraph 35, wherein upon receiving the token, the secure server validates the 
token by comparing the difference between the current time and the authentication time 
to the predefined threshold to make sure a duration of time has not expired. It is clear 
from this that each access operation must be logged and a security check performed 
because if each access is not logged, there would be an error in the duration of time 
since the last access operation that was not logged.]

assigning a user signature, identifying the user, on the basis of the performed security check 
without being viewable by the user;

[see paragraph 0034] "Token"

assigning at least one role signature, each role signature being assignable to a plurality of users,
on the basis of the performed security check without being viewable by the user; and 

[see paragraph 0039] ". . . business rules that indicate which users are authorized to take 
various types of actions..." 

signing each access operation to electronic data by specifying the user signature and the role 
signature; and 

[see paragraph 0034-0035] 

The Khidekel reference is mute in teaching the following limitations: 

recording each access operation and the user signature and the at least one role signature 
specified for each access operation. 

[see col. 8, lines 54-64, wherein all user accesses are documented. It would have been
obvious to one of ordinary skill in the art to modify the Khidekel reference to include this
limitation taught by Ballantyne so that patients can request logs of who accessed their
logs and when.]



wherein each access operation is recorded in an audit memory, 

the user signature is recorded in the audit memory, and 

the at least one role signature is recorded in the audit memory. 

For the above limitations, examiner relies upon the Ballantyne reference. Ballantyne teaches at 
col. 8, lines 1-64, auditing user accesses to all the archived electronic health records contained 
in the master library (ML). Examiner views the identification number as analogous to the 
claimed user signature and the personal electronic profile as containing information analogous 
to the claimed role signature. Ballantyne teaches logging of all user actions as well as recording 
user accesses by ID numbers and accompanying user profiles. It would have been obvious to 
one of ordinary skill in the art to modify the Khidekel reference to include archiving of access 
operations in an audit memory as taught by Ballantyne in order to automate data collection and 
reduce manual collection and storage of user information. This in turn would create a more 
efficient and effective system.

As per claims 2, 10, and 30, Khidekel teaches:

The method as claimed in claim 1, wherein the security check involves biometric data from the
user being ascertained. 

[see paragraph 0029] 

As per claims 3, 11, 17, and 31, Khidekel teaches: 

The method as claimed in claim 1, wherein the security check involves reading at least one of an
electronic and mechanical key. 

[see paragraph 0029, "smartcard"] 

As per claims 4, 12, 18, 19, 25, and 32, Khidekel teaches: 

The method as claimed in claim 1, wherein the user signature to be assigned is ascertainable on
the basis of the data ascertained in the security check, by checking a user signature memory. 

[see paragraph 0026, "database 24"] 

As per claims 5, 13, 20, 21, 27, and 33, Khidekel teaches: 

The method as claimed in claim 1, wherein the role signature to be assigned is ascertainable on
the basis of the data ascertained in the security check, by checking a role signature memory.

[see paragraph 0026, "database 24"]

As per claims 6, 14, 22, 28, 34, Khidekel teaches: 

The method as claimed in claim 4, wherein the user signature memory is checked using a data 
telecommunication link. 

[see paragraph 0028, "communications can be sent over a secure socket layer"] 

As per claim 7, Khidekel teaches: 

The method as claimed in claim 1, wherein one user is assignable a plurality of role signatures
simultaneously. 

[see paragraph 0039, wherein specified physicians may be permitted to view patient 
records as well as modify them while administrative staff may only view patient records] 

As per claims 8, 15, and 36, Khidekel teaches: 

The method as claimed in claim 1, wherein the data are medically relevant, wherein the users are
medical specialist personnel, and wherein the roles are formed in line with the workgroups within 
the medical specialist personnel. 

[see paragraph 0025]

As per claim 41, Khidekel teaches:

The method as claimed in claim 40, wherein an access operation can be reconstructed by 
specifying at least one of the user's former and current role signatures. 

[see paragraph 41, resubmit credentials for re-authentication.]

As per claims 43-46, Ballantyne teaches:

The method as claimed in claim 1, wherein the user signature memory and the role signature
memory are maintained independently from the audit memory. 

[see col. 15, lines 40-67, and col. 16, lines 1-13] 



POINTS OF CONTACT 

*. Any response to this Office Action should be faxed to (571) 273-8300 or mailed to:

Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

Hand-delivered responses should be brought to 

Customer Service Window 
Randolph Building 
401 Dulaney Street 
Alexandria, VA 22314 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Daniel L. Hoang whose telephone number is 571-270-1019. The examiner 
can normally be reached on Monday - Thursday, 8:00 a.m. - 5:00 p.m., EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami can be reached on 571-272-4195. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished
applications is available through Private PAIR only. For more information about the PAIR system, 
see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 

/Daniel L. Hoang/ 
Examiner, Art Unit 2436 



/Nasser G Moazzami/ 

Supervisory Patent Examiner, Art Unit 2436 



